TCP MSS Value for WireGuard's UDP Configuration

On WireGuard I have seen that some sites aren't working, and I think it's an issue with the TCP MSS value. Can you please let me know what the TCP MSS value is, and whether it is possible to change it when WireGuard is in place?

The same websites are working over the OpenVPN client.

I used to have that problem on some sites, but I have found that setting the MTU value on the client side WireGuard config to 1280 works with every site I have tried. It may cost a tiny bit of performance, but I like things that just work!


I echo that; my Certa seems to like an MTU of 1320 while 1280 on my Slate AX gives me just about line speed minus < 5.0 Mbps.

WireGuard is UDP based.

Can anyone check if this is the solution to the TCP MSS issue with some websites on WireGuard?

WireGuard MTU fixes - Kerem Erkan

@alzhao can you please support me on this. Thanks in advance


There. Is. No. TCP. Value. Involved.

If you think there’s a problem with the MTU, drop its value to 1200 & increment in steps of 10 until resolved. GL GUI → VPN → WireGuard Client → $group → $name → […] → Edit → Item Mode → Edit WireGuard Configuration → MTU → $value → Apply.

Stop posting the same malformed question when it’s already been answered. Email GL.iNet if you’re still fixated on an answer from an ‘authority.’
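
Added example, not part of any post in this thread: a Python version of the stepping procedure above, applied to the underlay path to the WireGuard endpoint, which goes a step further and derives the WireGuard MTU and the in-tunnel TCP MSS from the result. The function names are hypothetical, `ping_df` assumes Linux iputils `ping` and an endpoint that answers ICMP echo, and the sample probe is constructed.

```python
import subprocess

# Bytes WireGuard adds per packet: outer IP header (20 v4 / 40 v6) + UDP 8 + WireGuard 32.
WG_OVERHEAD = {4: 60, 6: 80}
# Inner IP header (20 v4 / 40 v6) + TCP header 20, no TCP options.
TCPIP_HEADERS = {4: 40, 6: 60}

def ping_df(host, packet_size):
    """True if an IPv4 packet of packet_size bytes reaches host with DF set.
    Assumes Linux iputils ping; host must answer ICMP echo."""
    payload = packet_size - 28  # minus 20-byte IPv4 header and 8-byte ICMP header
    result = subprocess.run(
        ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def largest_passing(probe, start=1200, stop=1500, step=10):
    """Step up from start and return the last size probe() accepted, or None if start fails."""
    best = None
    for size in range(start, stop + 1, step):
        if not probe(size):
            break
        best = size
    return best

def tunnel_sizes(path_mtu, outer=4, inner=4):
    """WireGuard interface MTU and in-tunnel TCP MSS for a given underlay path MTU."""
    wg_mtu = path_mtu - WG_OVERHEAD[outer]
    return {"wg_mtu": wg_mtu, "tcp_mss": wg_mtu - TCPIP_HEADERS[inner]}

if __name__ == "__main__":
    # Constructed stand-in for a PPPoE uplink (path MTU 1492); swap in
    # lambda size: ping_df("<endpoint address>", size) to probe a real path.
    simulated = lambda size: size <= 1492
    path_mtu = largest_passing(simulated)
    print(path_mtu, tunnel_sizes(path_mtu))
```

With the default arguments the search moves in steps of 10, so the result can sit up to 9 bytes below the true path MTU; pass `step=1` for the exact value.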

Thanks for your response. My understanding is that a packet has a specified size, and within the IP packet there is a specified size for the payload, which is what we call the actual data. These are calculated through the MTU; that means an Ethernet packet has an MTU of 1500, from which underlay protocols like PPPoE and WireGuard occupy some size, due to which the payload size needs to be decreased as per the protocols used. Now when you use a TCP MSS value of 1460, this requires a larger MTU like 1500 for it to pass through an interface, else the router will drop the packet unless it is handled properly.

The WireGuard protocol is UDP; that doesn't mean everything is UDP here. The underlay is UDP, where you have a TCP packet to the destination.

I have never needed to adjust a TCP value when using WireGuard, only WG’s MTU. The blog link you posted in this thread does show how that author adjusted the TCP MSS using IPTables. Fortunately the current v.4.x builds of GL firmware are based on OpenWrt v 21.0x, which also uses IPTables.

I wouldn’t expect you to have much trouble if you were to attempt to replicate that author’s configuration although that is mere speculation.

Be aware future builds of GL firmware are switching to OpenWrt 22.0x, which instead uses nftables. They should indicate that when reviewing that released version’s changelog.

Bro, I observed a strange behavior. I have a Mudi E750 and two AX1800 devices.

One AX1800 is running the WireGuard server, and the other two devices, the AX1800 and the Mudi, are connecting as WireGuard clients to the AX1800 WireGuard server. On these two client devices I have VPN policies enabled, and they have the same policies on them.

Now the thing is, with the AX1800 as a client the application sometimes works and sometimes doesn’t work, whereas on the Mudi the application doesn’t work at all. I have collected packet captures for reference. (29.7 KB)

@bring.fringe18 did you get a chance to check the captures?

@alzhao, can you please review the captures and let me know what is broken?


Sorry, no I haven’t. Life’s other commitments are getting in the way.

Sorry I am not so experienced in this.

What I can suggest is that you send us an email with more details, e.g. send us a WireGuard config and your program to test if possible. Otherwise, we can try to debug remotely.

I’m not sure, but using a different release version on the Mudi fixes the issue. Now I’m able to access the site without changing the default MTU/MSS.

Currently I’m using release 40306 → 2023-08-14 17:10:48
